According to reports, the US Department of Commerce ordered American companies not to sell their technology to NSO. This was in response to Pegasus spyware being used against journalists, government officials and activists. The regulator stated in a press release that the company was being added to the Entity List due to its threat to the rules-based international order if it is sold to repressive foreign countries.
Pegasus, which is a program that infects targets without warning, allows police and intelligence agencies access to text messages, photos and passwords of phones without leaving any trace. The Washington Post reported that spyware could infect a phone using a single invisible text message. A target would not have to click on any link or take any action to get their phone infected.
NSO's Pegasus spyware was recently in spotlight due to The Pegasus Project. This is a group of journalists that revealed a list of names possibly connected with the spyware. This list included journalists, activists and heads of state from all over the world, which NSO claims its spyware shouldn't be targeting. Pegasus Project also examined a few journalists' phones and found evidence of spyware. NSO claims that these are the only clients to which its software and services will be sold.
Pegasus was also a headline-grabbing company before this year. Mexican journalists were reported to be targeted by the tool. WhatsApp sued NSO over the use of an exploit in the messaging platform to hack people's phones. The FBI is believed to have at least investigated the company in connection to Jeff Bezos's phone being hacked.
NSO claims it cannot target US-based telephone numbers
The Department of Commerce states (pdf) that NSO has been added to the entity listing. This prevents US companies exporting to it as the company presents a significant risk of becoming or being involved in activities that are against the national security and foreign policy interests of the United States.
This could be related to US affairs beyond its borders. The NSO has stated that the tool cannot be used to target American telephone numbers. Pegasus Project and Department of Commerce have not disputed that fact.
NSO is not the only company that was added to the entity listing on Thursday. Candiru, an Israeli IT company that sells spyware (which is reportedly used for similar purposes) is also being blacklisted. Two more companies were cited by the Department of Commerce, one from Russia and one in Singapore. They are accused of selling hacking tools.